The plaintiff seeks class certification, an order to compel the firm to use better data protection safeguards and unspecified actual and punitive damages.
Thompson Coburn has been hit with a federal lawsuit seeking class action certification and unspecified actual and punitive damages for 305,088 current and former patients of a client, Presbyterian Healthcare Services, whose personal information was allegedly exposed in a May 2024 cyberattack.
In the complaint, surfaced by Law.com Radar, the named plaintiff, Heidi Mathiasen, brings negligence, breach of third-party beneficiary contract and negligence per se causes of action against Thompson Coburn on behalf of herself and class members. The suit was filed Wednesday in the Eastern District of Missouri.
Mathiasen seeks class certification, an order enjoining the defendant from engaging in wrongful conduct related to the misuse and disclosure of her and class members' private information, and from refusing to issue "prompt, complete and accurate disclosures" to them. She also seeks to compel the firm to use "appropriate methods and policies" for consumer data collection, storage and safety and to disclose the type of private information disclosed during the data breach, and an order directing the firm to pay for at least 10 years of credit monitoring for the class members.
She also seeks unspecified actual and punitive damages from Thompson Coburn.
When asked for comment on the lawsuit, the firm wrote in an emailed statement, "Our firm promptly detected unauthorized activity within our network in late May. Upon detection of the suspicious activity, we immediately took steps to secure our systems and launched an investigation with the assistance of third-party forensic specialists to determine the nature and scope of the event. While the investigation determined that an unauthorized actor had accessed certain information within our network, there is no indication that any data has been misused. The confidentiality and security of the information in our care are among our highest priorities. We are committed to protecting the data entrusted to us and continue to further enhance our security posture."
The plaintiff alleges in the complaint that the firm had in its possession personally identifiable information and protected health information for current and former patients of Presbyterian Healthcare Services, and that data was compromised during the data breach on May 28 and 29.
"The private information was 'viewed or taken' by cyber-criminals who perpetrated the attack and remains in the hands of those cyber-criminals. According to defendant's report to the Health and Human Services Office of Civil Rights, 305,088 individuals were affected," the complaint alleges.
The data breach occurred, the plaintiff alleges in the complaint, as a result of the firm's "failure to implement adequate and reasonable cyber-security procedures and protocols." The complaint alleges the firm maintained the information in a "reckless manner," and the breach would have been discovered earlier if the firm had "properly monitored" its property.
"Because of the data breach, plaintiff and class members have been exposed to a heightened and imminent risk of fraud and identity theft" and may have to pay for credit monitoring services, the complaint alleges.
In a notice letter sent to class members on Nov. 8, the firm informed them that the information that may have been involved includes their name, medical record number, patient account number, prescription/treatment information, clinical information, and medical provider information.
The plaintiffs are represented by Daniel Harvath of Harvath Law Group in Webster Groves, Missouri, and Leigh Montgomery of EKSM in Houston. Neither immediately returned telephone messages.